Windows showing up as not genuine, error 0x8004FE21

  • Question

  • We are having issues with a Dell Optiplex 3010, Windows 7 x64, SP1.  Everything worked fine fresh out of the box, until I was installing our company's specific software.  Office Standard 2010 installed just fine, as well as PDF Complete, .Net 2.0 Configuration Wizard (for outdated web-based software), Adobe Flash, Adobe Reader, and Java.  The problem comes when installing Lync 2010 x64 (Volume Licensing).  It installs just fine, but as soon as it does, the Security Center service stops working.  It changes it from auto-start to disabled, with no errors in the event viewer.  When I change it back to auto start, the service starts just fine, but it goes back to disabled within seconds. 

    After doing some research, I discovered that Windows shows up as not valid anymore.  Below is the MGADiag log.  I've tried reinstalling everything from the built-in Factory Image and the disk that came directly from Dell, but it breaks as soon as we install Lync.  This is driving us nuts, and we have multiple Optiplex 3010 machines that are doing this.  We've tried installing the latest Intel Rapid Storage drivers but that did not change.  SFC /scannow says that there are integrity violations, but it isn't able to fix all of them.  We are not concerned at all with data, as the user hasn't even received the machine yet.  Any ideas?  We haven't installed any antivirus yet on this machine, so as to avoid any conflicts.

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-M3DJT-4J3WC-733WD
    Windows Product Key Hash: xo+ajVSpae7/4VoZjS7m6JL0f3A=
    Windows Product ID: 00371-OEM-8992671-00524
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {6A7E27C4-92CC-42FE-8350-9A29C0FB8E64}(1)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.130828-1532
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80092003

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{6A7E27C4-92CC-42FE-8350-9A29C0FB8E64}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-733WD</PKey><PID>00371-OEM-8992671-00524</PID><PIDType>2</PIDType><SID>S-1-5-21-3633131514-3088875990-2249285217</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>OptiPlex 3010</Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A11</Version><SMBIOSVersion major="2" minor="7"/><Date>20130916000000.000000+000</Date></BIOS><HWID>5A783607018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>CBX3   </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
    Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00371-00178-926-700524-02-1033-7601.0000-3652013
    Installation ID: 017644968056766821704982002783835304670331514004396214
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 733WD
    License Status: Licensed
    Remaining Windows rearm count: 3
    Trusted time: 1/2/2014 9:39:50 AM

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x0000000000008001
    Event Time Stamp: 12:31:2013 13:11
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\wat\watadminsvc.exe
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui


    HWID Data-->
    HWID Hash Current: LAAAAAEAAgABAAEAAAABAAAAAQABAAEA6GH4yYYhpFl86TD0SJ7CtxyrlmM=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            DELL          CBX3   
      FACP            DELL          CBX3   
      HPET            DELL          CBX3   
      MCFG            DELL          CBX3   
      FPDT            DELL          CBX3   
      ASF!            INTEL          HCG
      SSDT            SataRe        SataTabl
      SSDT            SataRe        SataTabl
      SSDT            SataRe        SataTabl
      DMAR            INTEL         SNB
      SLIC            DELL          CBX3
    Thursday, January 2, 2014 8:47 PM

Answers

  • That's worrying.

    Check any other affected machine - you may have a worm on the network that's got in under the radar somehow and is spreading nasties around :(

    I'd also take this machine off the network, and run an offline security scanner on it - http://www.microsoft.com/security/scanner/en-gb/default.aspx is pretty good, or you can use your favoured one and create the boot disk on a known-clean machine.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    • Marked as answer by James Dodin Friday, January 3, 2014 7:41 PM
    Friday, January 3, 2014 6:32 PM
    Moderator
  • Hey Noel,

    You hit the nail on the head.  I had the issue a few weeks ago and resolved it by downloading a new copy of Lync 2010 from the Volume Licensing website.  I went ahead and deleted the copy we had saved on our file server and replaced it with this one that I had just downloaded.  A few days later, I came back and used the copy I had recently uploaded to the server, and had issues again.  I figured that since it was a brand new copy, no way it would cause issues.  We are in the process of combing through the server for viruses.  Any hints on where we can look or the best way to do it?  This is a file server that many people use, and although we haven't had any virus issues come up recently, we want to take care of this one as fast as possible.

    • Marked as answer by James Dodin Friday, January 3, 2014 7:41 PM
    Friday, January 3, 2014 7:33 PM

All replies

  • Please run a full CHKDSK and SFC scan....

    Click on Start > All Programs > Accessories

    Right-click on the Command Prompt entry

    Select Run as Administrator and accept the UAC prompt - the Elevated Command Prompt window should pop up.

    At the Command prompt, type

    CHKDSK C: /R

    and hit the Enter key.

    You will be told that the drive is locked,

    and the CHKDSK will run at the next boot - hit the Y key, press Enter, and then reboot.

    The CHKDSK will take a few hours depending on the size of the drive, so be patient!

    After the CHKDSK has run, Windows should boot normally (possibly after a second auto-reboot) -

    then run the SFC.

    SFC - System File Checker - Instructions

    Click on Start > All Programs > Accessories

    Right-click on the Command Prompt entry

    Select Run as Administrator and accept the UAC prompt - the Elevated Command Prompt window should pop up.

    At the Command prompt, type

    SFC /SCANNOW

    and hit the Enter key

    Wait for the scan to finish - make a note of any error messages - and then reboot.

    Copy the CBS.log file created (C:\Windows\Logs\CBS\CBS.log) to your desktop (you can't manipulate it directly) and then compress the copy and upload it to your SkyDrive Public folder (http://skydrive.live.com ) and post a link to it so that I can take a look.

    Post a new MGADiag report with details of any error messages encountered.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Thursday, January 2, 2014 9:08 PM
    Moderator
  • Hi Noel,

    Thanks in advance for the help.  I ran the chkdsk and didn't see any errors.  When the SFC scan finished, it said that it found integrity violations and it couldn't fix all of them, so some of them would be fixed on a reboot.  Here is the link for the CBS.log: https://skydrive.live.com/redir?resid=8A953BEC8992C1D0!2592&authkey=!AFIe9iZ-gPTFEuY&ithint=file%2c.log

    Here is the WGADiag from after the chkdsk and sfc scannow.

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-JHV4K-9VW9H-RFD9G
    Windows Product Key Hash: Exj6FPDM+80pRf+sv/UAbh+fhkU=
    Windows Product ID: 00371-OEM-9321904-93017
    Windows Product ID Type: 8
    Windows License Type: COA SLP
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {CC4EA63F-46BA-4A85-8633-2A8FB7AD65B7}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.130828-1532
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003

    Other data--> Office Details: <GenuineResults><MachineData><UGUID>{CC4EA63F-46BA-4A85-8633-2A8FB7AD65B7}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-RFD9G</PKey><PID>00371-OEM-9321904-93017</PID><PIDType>8</PIDType><SID>S-1-5-21-3633131514-3088875990-2249285217</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>OptiPlex 3010</Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A11</Version><SMBIOSVersion major="2" minor="7"/><Date>20130916000000.000000+000</Date></BIOS><HWID>5A783607018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>CBX3   </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, OEM_COA_SLP channel
    Activation ID: da22eadd-46dc-4056-a287-f5041c852470
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00371-00186-219-093017-02-1033-7601.0000-0022014
    Installation ID: 019934913150087910968895249246892974481846077525312055
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: RFD9G
    License Status: Initial grace period
    Time remaining: 39300 minute(s) (27 day(s))
    Remaining Windows rearm count: 3
    Trusted time: 1/3/2014 7:57:45 AM

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x0000000000000001
    Event Time Stamp: 1:2:2014 20:31
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\wat\watadminsvc.exe

    HWID Data-->
    HWID Hash Current: LAAAAAEAAgABAAEAAAABAAAAAQABAAEA6GH4yYYhpFl86TD0SJ7CtxyrlmM=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   DELL    CBX3
      FACP   DELL    CBX3
      HPET   DELL    CBX3
      MCFG   DELL    CBX3
      FPDT   DELL    CBX3
      ASF!   INTEL    HCG
      SSDT   SataRe  SataTabl
      SSDT   SataRe  SataTabl
      SSDT   SataRe  SataTabl
      DMAR   INTEL   SNB
      SLIC   DELL    CBX3

    Friday, January 3, 2014 2:02 PM
  • Here's an extract from the summary report...

    	Line 17960: 2014-01-03 07:54:37, Info                  CSI    00000450 [SR] Repairing 19 (0x0000000000000013) components
    	Line 17961: 2014-01-03 07:54:37, Info                  CSI    00000451 [SR] Beginning Verify and Repair transaction
    	Line 17964: 2014-01-03 07:54:37, Info                  CSI    00000453 [SR] Cannot repair member file [l:14{7}]"alg.exe" of Microsoft-Windows-ALG, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    	Line 17967: 2014-01-03 07:54:38, Info                  CSI    00000455 [SR] Cannot repair member file [l:24{12}]"wbengine.exe" of Microsoft-Windows-BLB-Engine-Main, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    	Line 17970: 2014-01-03 07:54:38, Info                  CSI    00000457 [SR] Cannot repair member file [l:18{9}]"msdtc.exe" of Microsoft-Windows-COM-DTC-Runtime, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    	Line 17973: 2014-01-03 07:54:38, Info                  CSI    00000459 [SR] Cannot repair member file [l:22{11}]"dllhost.exe" of Microsoft-Windows-COM-Surrogate, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    	Line 17976: 2014-01-03 07:54:38, Info                  CSI    0000045b [SR] Cannot repair member file [l:22{11}]"ehsched.exe" of Microsoft-Windows-ehome-services-ehsched, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    	Line 17979: 2014-01-03 07:54:38, Info                  CSI    0000045d [SR] Cannot repair member file [l:20{10}]"FXSSVC.exe" of Microsoft-Windows-Fax-Service, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    	Line 17982: 2014-01-03 07:54:38, Info                  CSI    0000045f [SR] Cannot repair member file [l:24{12}]"iexplore.exe" of Microsoft-Windows-IE-InternetExplorer-Optional, Version = 8.0.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    	Line 17985: 2014-01-03 07:54:38, Info                  CSI    00000461 [SR] Cannot repair member file [l:22{11}]"msiexec.exe" of Microsoft-Windows-Installer-Executable, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    	Line 17988: 2014-01-03 07:54:38, Info                  CSI    00000463 [SR] Cannot repair member file [l:24{12}]"DVDMaker.exe" of Microsoft-Windows-OpticalMediaDisc-Wizard, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    	Line 17991: 2014-01-03 07:54:38, Info                  CSI    00000465 [SR] Cannot repair member file [l:26{13}]"UI0Detect.exe" of Microsoft-Windows-Session0Viewer, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    	Line 17994: 2014-01-03 07:54:38, Info                  CSI    00000467 [SR] Cannot repair member file [l:24{12}]"snmptrap.exe" of Microsoft-Windows-SNMP-Trap-Service, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    	Line 17997: 2014-01-03 07:54:38, Info                  CSI    00000469 [SR] Cannot repair member file [l:14{7}]"mip.exe" of Microsoft-Windows-TabletPC-MathInputPanel, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    	Line 18000: 2014-01-03 07:54:38, Info                  CSI    0000046b [SR] Cannot repair member file [l:36{18}]"ShapeCollector.exe" of Microsoft-Windows-TabletPC-InputPersonalization, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    	Line 18003: 2014-01-03 07:54:38, Info                  CSI    0000046d [SR] Cannot repair member file [l:48{24}]"InputPersonalization.exe" of Microsoft-Windows-TabletPC-InputPersonalization, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    	Line 18006: 2014-01-03 07:54:38, Info                  CSI    0000046f [SR] Cannot repair member file [l:38{19}]"ConvertInkStore.exe" of Microsoft-Windows-TabletPC-InputPersonalization, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    	Line 18009: 2014-01-03 07:54:38, Info                  CSI    00000471 [SR] Cannot repair member file [l:20{10}]"TabTip.exe" of Microsoft-Windows-TabletPC-InputPanel, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    	Line 18012: 2014-01-03 07:54:38, Info                  CSI    00000473 [SR] Cannot repair member file [l:18{9}]"VSSVC.exe" of Microsoft-Windows-VssService, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    	Line 18015: 2014-01-03 07:54:38, Info                  CSI    00000475 [SR] Cannot repair member file [l:14{7}]"vds.exe" of Microsoft-Windows-VirtualDiskService, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    	Line 18018: 2014-01-03 07:54:38, Info                  CSI    00000477 [SR] Cannot repair member file [l:24{12}]"WmiApSrv.exe" of Microsoft-Windows-WMI-Core, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    	Line 18022: 2014-01-03 07:54:38, Info                  CSI    00000479 [SR] Cannot repair member file [l:24{12}]"mscorsvw.exe" of NetFx-MSCORSVW_EXE, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope neutral, PublicKeyToken = {l:8 b:b03f5f7f11d50a3a}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    	Line 18026: 2014-01-03 07:54:38, Info                  CSI    0000047b [SR] Cannot repair member file [l:24{12}]"mscorsvw.exe" of NetFx-MSCORSVW_EXE, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope neutral, PublicKeyToken = {l:8 b:b03f5f7f11d50a3a}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    

    I'll post a fix for the problems a bit later.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Friday, January 3, 2014 2:54 PM
    Moderator
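
The hash-mismatch entries in the extract above can be pulled out of a copy of CBS.log and summarised offline. The following is an added example, not part of the thread or any poster's tooling: the names `parse_sr_failures` and `summarise` are hypothetical, the sample lines are copied from the extract, and reading the `[l:N{M}]` prefix as the byte and character counts of the file name is an assumption that matches every line shown.

```python
"""Triage of SFC '[SR] Cannot repair member file' entries from a CBS.log copy."""
import re
from collections import Counter
from dataclasses import dataclass

# Entry format as shown in the extract; the "Line NNNNN:" prefix added by the
# text editor's search results is skipped because search() is used per line.
SR_FAIL = re.compile(
    r'(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), Info\s+CSI\s+'
    r'(?P<seq>[0-9a-fA-F]{8}) \[SR\] Cannot repair member file '
    r'\[l:(?P<nbytes>\d+)\{(?P<nchars>\d+)\}\]"(?P<file>[^"]+)" of '
    r'(?P<component>[^,]+), Version = (?P<version>[\d.]+), '
    r'pA = PROCESSOR_ARCHITECTURE_(?P<arch>\w+) \(\d+\),'
    r'.*? in the store, (?P<reason>.+?)\s*$'
)


@dataclass(frozen=True)
class RepairFailure:
    timestamp: str
    file: str
    component: str
    version: str
    arch: str
    reason: str
    name_ok: bool  # False when the length prefix disagrees with the quoted name


def parse_sr_failures(log_text):
    """Return one RepairFailure per unrepairable-file entry, in log order."""
    failures = []
    for line in log_text.splitlines():
        m = SR_FAIL.search(line)
        if not m:
            continue  # other [SR] lines (e.g. "Repairing 19 components") are ignored
        name = m["file"]
        # Assumption: l:N{M} means N bytes (2 per character) and M characters.
        name_ok = int(m["nchars"]) == len(name) and int(m["nbytes"]) == 2 * len(name)
        failures.append(RepairFailure(m["ts"], name, m["component"].strip(),
                                      m["version"], m["arch"], m["reason"], name_ok))
    return failures


def summarise(failures):
    """Collapse repeated entries and group what is damaged."""
    unique = {(f.file.lower(), f.arch) for f in failures}
    return {
        "entries": len(failures),
        "unique_files": len(unique),
        "by_extension": Counter(name.rsplit(".", 1)[-1] for name, _ in unique),
        "by_reason": Counter(f.reason for f in failures),
        "components": sorted({f.component for f in failures}),
        "garbled_names": [f.file for f in failures if not f.name_ok],
    }


# Sample input: five lines copied from the extract above (not a full CBS.log).
SAMPLE_LOG = r'''
	Line 17960: 2014-01-03 07:54:37, Info                  CSI    00000450 [SR] Repairing 19 (0x0000000000000013) components
	Line 17964: 2014-01-03 07:54:37, Info                  CSI    00000453 [SR] Cannot repair member file [l:14{7}]"alg.exe" of Microsoft-Windows-ALG, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
	Line 17982: 2014-01-03 07:54:38, Info                  CSI    0000045f [SR] Cannot repair member file [l:24{12}]"iexplore.exe" of Microsoft-Windows-IE-InternetExplorer-Optional, Version = 8.0.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
	Line 18022: 2014-01-03 07:54:38, Info                  CSI    00000479 [SR] Cannot repair member file [l:24{12}]"mscorsvw.exe" of NetFx-MSCORSVW_EXE, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope neutral, PublicKeyToken = {l:8 b:b03f5f7f11d50a3a}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
	Line 18026: 2014-01-03 07:54:38, Info                  CSI    0000047b [SR] Cannot repair member file [l:24{12}]"mscorsvw.exe" of NetFx-MSCORSVW_EXE, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope neutral, PublicKeyToken = {l:8 b:b03f5f7f11d50a3a}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
'''

if __name__ == "__main__":
    report = summarise(parse_sr_failures(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it over the CBS.log from each SFC pass and comparing the `unique_files` counts shows whether the set of damaged files is shrinking or growing between passes.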
  • I've uploaded a file - jdoaa.zip - to my SkyDrive at Noel's SkyDrive

    Please download and save it.

    Right-click on the saved file and select Extract all...

    Change the target to C:\ and click on Extract

    Close all windows (it would be a good idea to print these instructions!)

    Now reboot to the Repair Environment - as soon as the machine restarts, start tapping F8 - this should bring up the Advanced Boot Menu, at the top of which should be the option 'Repair my Computer'

    Pick that

    You'll have to log in with your username and password.

    Pick the option to use a Command Prompt

    At the prompt type

    DIR C:\jdoaa

    hit the enter key - if you get a 'Not Found' error try

    DIR D:\jdoaa

    or

    DIR E:\jdoaa

    The drive letter in use when you find the folder will need to be substituted (for <drive>) into the following command...

    XCOPY <drive>:\jdoaa  <drive>:\windows\winsxs /y /i /s /v /h

    (e.g. XCOPY P:\wfire P:\windows\winsxs /y /i /s /v /h )

    run the command (it should take almost no time) and when the prompt returns, type

    EXIT

    and hit the Enter key to exit Command Prompt - reboot to Normal Mode Windows.

    Now run SFC /SCANNOW in an Elevated Command Prompt

    then reboot and upload the new CBS.log file to your SkyDrive Public folder, and post a new link

    Also run a new MGADiag report, and post the result.



    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Friday, January 3, 2014 3:47 PM
    Moderator
  • Hi Noel,

    Here is the link for the new CBS.log (same error that it found violations but couldn't repair them all):

    https://skydrive.live.com/redir?resid=8A953BEC8992C1D0!2593&authkey=!AOxzyEd1TLrsoYA&ithint=file%2c.log

    Here is a new MGADiag:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-M3DJT-4J3WC-733WD
    Windows Product Key Hash: xo+ajVSpae7/4VoZjS7m6JL0f3A=
    Windows Product ID: 00371-OEM-8992671-00524
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {C8E5BCB9-9B2B-4E5C-BAB7-A221828DD5DB}(1)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.130828-1532
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80092003

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{C8E5BCB9-9B2B-4E5C-BAB7-A221828DD5DB}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-733WD</PKey><PID>00371-OEM-8992671-00524</PID><PIDType>2</PIDType><SID>S-1-5-21-3633131514-3088875990-2249285217</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>OptiPlex 3010</Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A11</Version><SMBIOSVersion major="2" minor="7"/><Date>20130916000000.000000+000</Date></BIOS><HWID>5A783607018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>CBX3   </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
    Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00371-00178-926-700524-02-1033-7601.0000-0032014
    Installation ID: 017644968056766821704982002783835304670331514004396214
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 733WD
    License Status: Licensed
    Remaining Windows rearm count: 3
    Trusted time: 1/3/2014 10:25:41 AM

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x0000000000008001
    Event Time Stamp: 1:2:2014 20:31
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\wat\watadminsvc.exe
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui


    HWID Data-->
    HWID Hash Current: LAAAAAEAAgABAAEAAAABAAAAAQABAAEA6GH4yYYhpFl86TD0SJ7CtxyrlmM=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   DELL    CBX3  
      FACP   DELL    CBX3  
      HPET   DELL    CBX3  
      MCFG   DELL    CBX3  
      FPDT   DELL    CBX3  
      ASF!   INTEL    HCG
      SSDT   SataRe  SataTabl
      SSDT   SataRe  SataTabl
      SSDT   SataRe  SataTabl
      DMAR   INTEL   SNB
      SLIC   DELL    CBX3

    Friday, January 3, 2014 4:31 PM
  • This is very strange - none of the errors has been fixed, and another 16 have crept in!

    Please check the results of your CHKDSK....

    Open Event Viewer

    In the Left pane, navigate to the Windows Logs > Applications

    In the right pane, click on 'Filter current log'

    Click on the down-arrow at the end of the 'Event Sources' box, and put a tick beside 'Wininit'

    Click OK

    The latest event there should be your CHKDSK result - if not, then find it :)

    Double-click on the entry, then click the Copy button in the popup window, and paste the results into your response.

    The next most likely explanation is malware....

    Please download and install Malwarebytes Anti-malware (free version) from http://www.malwarebytes.org/products/malwarebytes_free/ - UNtick 'Enable free trial of MBAM PRO' at the end of the installation - and update it, then run a full scan in your main account, and Quick scans in any other user accounts.

    Delete everything it finds   


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Friday, January 3, 2014 5:07 PM
    Moderator
  • Hey Noel,

    Here is the event viewer:

     

     

    Checking file system on C:

    The type of the file system is NTFS.

    A disk check has been scheduled.

    Windows will now check the disk.

    CHKDSK is verifying files (stage 1 of 5)...

    117248 file records processed. File verification completed.

    134 large file records processed. 0 bad file records processed. 2 EA records processed. 44 reparse records processed. CHKDSK is verifying indexes (stage 2 of 5)...

    155812 index entries processed. Index verification completed.

    0 unindexed files scanned. 0 unindexed files recovered. CHKDSK is verifying security descriptors (stage 3 of 5)...

    117248 file SDs/SIDs processed. Cleaning up 239 unused index entries from index $SII of file 0x9.

    Cleaning up 239 unused index entries from index $SDH of file 0x9.

    Cleaning up 239 unused security descriptors.

    Security descriptor verification completed.

    19283 data files processed. CHKDSK is verifying Usn Journal...

    33708592 USN bytes processed. Usn Journal verification completed.

    CHKDSK is verifying file data (stage 4 of 5)...

    117232 files processed. File data verification completed.

    CHKDSK is verifying free space (stage 5 of 5)...

    112986438 free clusters processed. Free space verification is complete.

    Windows has checked the file system and found no problems.

    488282111 KB total disk space.

    36034320 KB in 96120 files.

    70320 KB in 19284 indexes.

    0 KB in bad sectors.

    231715 KB in use by the system.

    65536 KB occupied by the log file.

    451945756 KB available on disk.

    4096 bytes in each allocation unit.

    122070527 total allocation units on disk.

    112986439 allocation units available on disk.

    Internal Info:

    00 ca 01 00 d7 c2 01 00 ab 78 03 00 00 00 00 00 .........x......

    77 00 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 w...,...........

    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

    Windows has finished checking your disk.

    Please wait while your computer restarts.

    I'll go ahead and install Malwarebytes and run it, but I'm not sure where the malware came from.  I'm getting these errors on multiple machines with a brand new install from the Dell disk.  Tried it from an ISO on the volume license website, and it all comes back to the same thing.  Everything works fine until we install Lync, which immediately causes the genuine error and the security center service stops.  I should note that when Lync installs, it also installs C++ Redistributable x64 and x86 9.0.30729.4148.  Once the install finishes for Lync, everything breaks.  Before that, everything runs perfectly.
    Friday, January 3, 2014 5:23 PM
  • Bizarre, MBAM actually found a few issues.  Here is a copy of the log file (I removed everything):

    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2014.01.03.05

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 8.0.7601.17514
    Waident :: CF-KCSPARE1 [administrator]

    1/3/2014 11:38:18 AM
    mbam-log-2014-01-03 (11-38-18).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 318368
    Time elapsed: 15 minute(s), 58 second(s)

    Memory Processes Detected: 1
    C:\Windows\System32\SEARCHINDEXER.EXE (Trojan.FakeMS) -> 292 -> Delete on reboot.

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 2
    HKLM\SYSTEM\CurrentControlSet\Services\WSearch (Trojan.FakeMS) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOXMLED.EXE (Trojan.FakeMS) -> Quarantined and deleted successfully.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 1
    HKLM\SYSTEM\CurrentControlSet\SERVICES\COMSYSAPP|Type (Hijack.Comsysapp) -> Bad: (272) Good: (16) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 9
    C:\Windows\System32\SEARCHINDEXER.EXE (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\jdoaa\amd64_microsoft-windows-alg_31bf3856ad364e35_6.1.7600.16385_none_04de43c774cf8fe3\alg.exe (Malware.Gen) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\winsxs\amd64_microsoft-windows-alg_31bf3856ad364e35_6.1.7600.16385_none_04de43c774cf8fe3\alg.exe (Malware.Gen) -> Quarantined and deleted successfully.
    C:\Windows\winsxs\wow64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_6.1.7601.17514_none_7a09c587c282995a\TabTip32.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\winsxs\wow64_windowssearchengine_31bf3856ad364e35_7.0.7601.17610_none_dbd0d3376679543d\SearchIndexer.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

    (end)

     

    Here is the MGADiag afterwards (one file is no longer showing as mismatched):

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-M3DJT-4J3WC-733WD
    Windows Product Key Hash: xo+ajVSpae7/4VoZjS7m6JL0f3A=
    Windows Product ID: 00371-OEM-8992671-00524
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {C8E5BCB9-9B2B-4E5C-BAB7-A221828DD5DB}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.130828-1532
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{C8E5BCB9-9B2B-4E5C-BAB7-A221828DD5DB}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-733WD</PKey><PID>00371-OEM-8992671-00524</PID><PIDType>2</PIDType><SID>S-1-5-21-3633131514-3088875990-2249285217</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>OptiPlex 3010</Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A11</Version><SMBIOSVersion major="2" minor="7"/><Date>20130916000000.000000+000</Date></BIOS><HWID>5A783607018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>CBX3   </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
    Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00371-00178-926-700524-02-1033-7601.0000-0032014
    Installation ID: 017644968056766821704982002783835304670331514004396214
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 733WD
    License Status: Licensed
    Remaining Windows rearm count: 3
    Trusted time: 1/3/2014 12:00:33 PM

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x0000000000000001
    Event Time Stamp: 1:2:2014 20:31
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\wat\watadminsvc.exe


    HWID Data-->
    HWID Hash Current: LAAAAAEAAgABAAEAAAABAAAAAQABAAEA6GH4yYYhpFl86TD0SJ7CtxyrlmM=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   DELL    CBX3  
      FACP   DELL    CBX3  
      HPET   DELL    CBX3  
      MCFG   DELL    CBX3  
      FPDT   DELL    CBX3  
      ASF!   INTEL    HCG
      SSDT   SataRe  SataTabl
      SSDT   SataRe  SataTabl
      SSDT   SataRe  SataTabl
      DMAR   INTEL   SNB
      SLIC   DELL    CBX3  

    Friday, January 3, 2014 6:03 PM
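The before-and-after comparison of the two MGADiag reports above, written out as an added example that is not part of the original thread: it diffs the "Windows Activation Technologies" section of both reports and lists tampered files that the MBAM log never mentions. The function names are hypothetical, the inputs are short excerpts of the logs posted above, and treating the text after "|" in a tampered-file entry as a companion file is an assumption.

```python
import ntpath
import re

# Excerpts from the two MGADiag reports and the MBAM log posted in this thread.
BEFORE = r"""
Windows Activation Technologies-->
HrOffline: 0x8004FE21
HealthStatus: 0x0000000000008001
Tampered File: %systemroot%\system32\wat\watadminsvc.exe
Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
"""
AFTER = r"""
Windows Activation Technologies-->
HrOffline: 0x8004FE21
HealthStatus: 0x0000000000000001
Tampered File: %systemroot%\system32\wat\watadminsvc.exe
HWID Data-->
"""
MBAM = r"""
C:\Windows\System32\SEARCHINDEXER.EXE (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
"""

def parse_wat(report):
    """Return (HrOffline, HealthStatus as int, tampered paths) from the WAT section."""
    fields, tampered, inside = {}, set(), False
    for line in map(str.strip, report.splitlines()):
        key, _, value = line.partition(":")
        if line.endswith("-->"):  # section header such as "HWID Data-->"
            inside = line.startswith("Windows Activation Technologies")
        elif inside and key == "Tampered File":
            # Assumption: text after "|" names a companion file; keep the primary path.
            tampered.add(value.strip().split("|")[0].lower())
        elif inside:
            fields[key] = value.strip()
    return fields.get("HrOffline"), int(fields.get("HealthStatus", "0"), 16), tampered

def mbam_detections(log):
    """Map lower-cased file name -> detection name for each MBAM result line."""
    hits = re.findall(r"^\s*(.+?) \(([\w.]+)\) -> ", log, re.M)
    return {ntpath.basename(path).lower(): name for path, name in hits}

def triage(before, after, mbam_log):
    """Diff two reports; list tampered files that the scanner log never mentions."""
    (hr_b, health_b, tamp_b), (hr_a, health_a, tamp_a) = parse_wat(before), parse_wat(after)
    seen = mbam_detections(mbam_log)
    return {
        "cleared": sorted(tamp_b - tamp_a),
        "still_tampered": sorted(tamp_a),
        "health_bits_cleared": hex(health_b & ~health_a),
        "validation_unchanged": hr_a == hr_b,
        "not_in_scanner_log": sorted(p for p in tamp_a if ntpath.basename(p) not in seen),
    }
```

Calling `triage(BEFORE, AFTER, MBAM)` shows that the scan cleared the sppsvc.exe entry, while watadminsvc.exe is still reported as tampered, does not appear in the scanner log, and the validation code is unchanged.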
  • That's worrying.

    Check any other affected machine - you may have a worm on the network that's got in under the radar somehow and is spreading nasties around :(

    I'd also take this machine off the network, and run an offline security scanner on it - http://www.microsoft.com/security/scanner/en-gb/default.aspx is pretty good, or you can use your favoured one and create the boot disk on a known-clean machine.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    • Marked as answer by James Dodin Friday, January 3, 2014 7:41 PM
    Friday, January 3, 2014 6:32 PM
    Moderator
  • Hey Noel,

    You hit the nail on the head.  I had the issue a few weeks ago and resolved it by downloading a new copy of Lync 2010 from the Volume Licensing website.  I went ahead and deleted the copy we had saved on our file server and replaced it with this one that I had just downloaded.  A few days later, I came back and used the copy I had recently uploaded to the server, and had issues again.  I figured that since it was a brand new copy, no way it would cause issues.  We are in the process of combing through the server for viruses.  Any hints on where we can look or the best way to do it?  This is a file server that many people use, and although we haven't had any virus issues come up recently, we want to take care of this one as fast as possible.

    • Marked as answer by James Dodin Friday, January 3, 2014 7:41 PM
    Friday, January 3, 2014 7:33 PM
  • I'm afraid that my knowledge of malware is way too outdated to be of any real use - I was at one time fairly proficient (back in 2005/6/7) but I'm way behind the curve currently.

    If it was me, then I'd flatten and rebuild this machine from the ground up - in quarantine.

    Once all required applications and security software are in place, and ONLY then, I'd bring back the data, after a remote scan with at least two different AVs (and MBAM!).

    I do realise that this sort of timescale may be difficult - but then it should avoid having to do it two or three times!

    If you want some really expert advice, you need to go to specialist malware forums such as www.bleepingcomputer.com and others.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Friday, January 3, 2014 11:25 PM
    Moderator